Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
IcedID first emerged in 2017 as a capable, widely observed banking trojan. Beginning in 2020, IcedID was identified as a precursor to ransomware attacks such as Egregor, Maze and Conti and has historically utilized email as its delivery vector.
In December 2022, TRU began observing IcedID infections that were traced to payloads downloaded by users from the Internet. This observation coincided with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023 (Figure 1).
The activity in Q4 2022 was a mixture of email and drive-by infections. However, since mid-late December 2022, observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Malicious Google Search Ads are nothing new, but TRU has observed an increase in their use to deliver information stealing malware and IcedID in 2022 and 2023. For IcedID specifically, TRU has observed malicious ads targeting applications such as Slack, Docker, TeamViewer, Microsoft Teams, Basecamp and Adobe Reader (among others), as seen in Figure 2.
Search ads utilize the auction-based Pay-Per-Click (PPC) model. Advertisers can enter a maximum bid for certain search keywords to display their ad so long as their bid is more than another advertiser’s bid. Additionally, Ads Keyword Planner, a free tool, provides an estimate for top of page bids where an advertiser can ensure their ad is shown at the top of the search results for specific keywords (usually at a premium).
For example, as of January 2023, one would need to place a maximum bid of $4.30 per click to have an ad displayed at the top of a search for “slack download”. Therefore, a top of page ad bid for 1000 clicks could cost between $1330 and $4300 USD. This cost is unlikely to be a significant barrier to threat actors who are likely using stolen payment data.
|Keyword||Currency||Avg. monthly searches||3-month change||YoY change||Competition||Competition (indexed value)||Top of page bid (low range)||Top of page bid (high range)|
|Avg. monthly searches||135,000|
|Competition (indexed value)||3|
|Top of page bid (low range)||1.33|
|Top of page bid (high range)||4.3|
Abusing search ads also provides some degree of curation in terms of ideal targets. This is reflected by both the keywords targeted (primarily software used in corporate environments) and audience segments, which includes detailed demographics, interests, intents and other attributes estimated by Google (Figure 3).
Google does use a review process for new ads to ensure compliance with their ad policy, including malicious software. It’s not immediately clear how threat actors are circumventing these compliance checks.
Cloaking is a common tactic used to hide malicious content from all but the intended victim. An example of traffic redirection can be seen in Figure 2 above, where slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top. Another example can be seen in Figures 4 and 5 below, where a download page impersonating Docker leads to the legitimate Docker binary. However, in a subsequent review, the page leads to an IcedID payload host on Google FireBase storage.
In mid-January 2023, a customer endpoint became infected with IcedID originating from a website masquerading as Adobe Reader. The victim arrived on the website (vwv-adobe[.]top) from clicking a Google Search Ad for Adobe software (Figure 6).
The setup file (6718a804f5d5064fa3b918d844fd727d) is padded to inflate its size to over 700MB to inhibit automated inspection. When executed, IcedID executes an initial round of reconnaissance commands and initiates a check-in with the C2 (qsertopinajil[.]com), as seen in Figure 7.
The living-off-the-land reconnaissance commands used are not indifferent than what TRU has observed with malware whose objective is delivering footholds to hands-on-keyboard adversaries. The output from these commands provides a quick summary of the foothold’s worth and is likely used to triage and prioritize the most valuable footholds.
WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List ipconfig /all systeminfo net config workstation nltest /domain_trusts nltest /domain_trusts /all_trusts net view /all /domain net view /all net group "Domain Admins" /domain
Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC but was blocked from doing so.
Our team of 24/7 SOC Cyber Analysts retrieved the PowerShell script from the system and determined it contained a Cobalt Strike Beacon loader (f36c8d12db66730f3cf94d28331b90ac) configured to spawn and inject into a child PowerShell process. The beacon was configured to communicate with poasnm[.]com using HTTP and spawn using regsvr32.exe.
Our SOC identified suspicious reconnaissance activity on a customer endpoint and immediately notified the customer while an investigation took place. The case was escalated when the blocked Cobalt Strike activity occurred and the system was immediately contained.
General Guidance for Users:
Guidance for IT:
|www-goto-com[.]top||IcedID Download Page|
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.